Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

itwbennett writes "Macs aren't being hit with advanced persistent threat (APT) attacks, but that doesn't mean they're invulnerable, say researchers at iSec Partners. Speaking at the Black Hat conference in Las Vegas Wednesday, iSec founder Alex Stamos and his team of researchers took a look at the typical stages of an APT attack — and compared how the Mac would do versus Windows 7. Their conclusion: Macs provide good protection against the initial phases of the attack, but once the bad guys are on the network, it's a whole different story. 'They're pretty good for [protecting from] remote exploitation,' Stamos said. '[But] once you install OS X server you're toast.'"

Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.

How many times are we going to get the same stories?

Until the Microsoft propaganda machine stops pumping them out, I suppose.

The article seems unlikely to be MS propaganda. Note that the writer quotes that one investigator (Rob Lee) as saying that he's never seen a compromised Mac, and he advises his clients to replace their compromised MS-Windows machines with Macs to prevent re-infection. Would a MS-paid writer be likely to put such suggestions in their article?

This does bring up a curious aspect of the "logic" behind all the claims that poor little MS is being picked on because it's so popular. If this were true, you'd think that a sensible person would simply refuse to buy anything with a MS logo. True, if you buy a Mac or Ubuntu or whatever rather than Windows, you machine might be attacked sometime in the remote future. But, since we "know" that no commercial systems are totally secure, it would make sense to choose a system that might be attacked in the far future over one that you know will be attacked repeatedly on the first day and probably compromised in the near future. You don't need to know the technical reason for this; you just need to be sensible enough to trade likely near-future failures for possible far-future failures.

So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda. I wouldn't think MS's marketers would be so stupid as to tell everyone such a good reason to avoid their brand. I wouldn't think a Windows fanboy would say this either, because it would amount to admitting that they intentionally bought a machine because it was highly likely to be compromised. But there doesn't seem to be any good reason for other vendors to make this suggestion, either, since it amounts to saying that their security isn't any better than Microsoft's. So who is really behind this bizarre bit of logic? Who profits from it?

I think russotto wasn't calling TFA Microsoft propaganda, but rather calling WrongSizeGlass' "Macs are only secure because they're less popular" comment Microsoft propaganda. Which it is, of course. Any argument that relies on security-through-obscurity is wrong, no matter how you try to dress it up. WrongSizeGlass and the zillion other posters who repeat this tired canard may not realize they're propagandizing for Microsoft, but that's what they're doing, sure enough. They should at least demand payment for their services.

We know for certain that OS/X is not secure, that there are in fact (A) unpatched local privilege escalation vulnerabilities, and (B) Safari is vulnerable to drive by code execution initiated by simply loading a web page.

Combine these two, and the conclusion that "Macs are only secure because they are less popular" is most certainly true.

Going further, Apple is also incapable of protecting iOS in spite of their extensive efforts to lock it down, that it too is vulnerable to drive-byes that will entirely

Microsoft gets attacked because the Line of Business applications run on Windows. How many large accounting systems, ERP systems, etc. run on OSX? Know anyone running a factory on OSX? How about a firm doing R&D and drafting blueprints and other technical documents on OSX?

OSX is not a target because there are very few people running OSX who have access to the systems with information that dedicated, skilled attackers want to get to. With Apple's incessant focus on the consumer space, little is likel

To be fair, Lockheed-Martin was hacked because they depended on a 3rd party (RSA) for a critical part of their security infrastructure.

When RSA subsequently had a massive data compromise, instead of letting their customers know what happened, they downplayed the ramifications of the breach. And RSA just won a pwnie [pwnies.com] for their efforts.

It's a fanboy response that goes right back to the early MSDOS days. It is of course currently irrelevant considering the number of other devices on the internet now. All those routers, modems, webservers etc out there are also popular and available 24/7 in hundreds of thousands per model or OS version to provide a potential botnet beyond the wildest dreams of a cracker - yet malware is currently only a Microsoft platform problem.

The numbers don't work out as well as you think. If you've got a pool of, say, a half million Linksys routers to target, some percentage of which are vulnerable, or a pool of 500m installed XP systems, some percentage of which are vulnerable, you're a lot better off focusing on XP than a Linksys router. (And the numbers for any given model of a router aren't anywhere near that when you count firmware and hardware revision changes.)

Plus, if you target a router (a $50 device with a slow CPU) you have high odd

You're puzzled who might be behind the propoganda because, perhaps, its not propoganda.

The fact of the matter is, if you are creating a targeted attack on a system, you don't care in the slightest what platform its on -- you are going to hand craft the attack for your specific target using no matter what vectors you have to. Look at Stuxnet as an example.

If you are creating a generic attack, where the value is in numbers, not in a specific target (stealing people's financial information, creating a spambot

1) Hacker sets up server with a big trap door2) Hacker takes the machine he wants to win and drives the browser through the big trap door3) Hacker willingly executes the instructions he set up in the big trap door4) Hacker wins a new MacBook Pro

That doesn't sound like a random attack in the wild to me. Compare that to MS servers sitting in a room somewhere minding their own business with absolutely no human interaction. They get hacked if you just wait long enough.

So I'm puzzled about who might be behind all this "MS is only attacked because it's so popular" propaganda

Might have something to do with the fact that the first machine to fall at Pwn2Own since its inception in 2007 has been a Mac, every time.
(2011 Pwn2Own writeup) [arstechnica.com]

The magic word is "Zero-Day". If you find 10 exploits for Windows a month before Pwn2Own, chances are high every single one of them have been exploited by somebody else the day of the contest - meaning you can't win with them. While Charlie Miller will dig out something he has found for last years contest, but nobody else did in the meantime.

So yeah, the fact that Macs keep "winning" Pwn2Own proves that Windows is attacked more. Not that its safer.

Uhhh...tell me how EXACTLY telling the equivalent of "water is wet" a MSFT propaganda piece? You sir might want to read this article on OSNews by the title of OS X - Safe, Yet Horribly Insecure [osnews.com] or is OSNews MSFT propaganda? it points out the Apple implementations of serveral technologies, when it has them, simply aren't up to snuff. Technologies such as DEP and ASLR either are not implemented or are implemented poorly.

Now Apple was able to get away with that with relative impunity simple because they weren'

Yeah, sure, MacDefender was a big nasty thing that required you to install it yourself, ooooh scary...

And yes, it required several "ok" clicks as well as the user inputting his/her admin password for the machine. Classic trojan behavior.

I actually stumbled upon a MacDefender "downloader site", do you know what it did? It showed a website that looked vaguely like a Finder window with a small "ZOMG VIRUSESSES!!!!11one" popup in the middle while it forced a download of the installer. Had I then actually run

Apparently you've never read about James Plamondon and his "Technical Evangelists" [groklaw.net]. The Combs-3096.pdf is a collection of his training manuals and describes "The Slog", and a real jewel you'll love called "The Stacked Panel". Then, I suppose, you've forgotten about the stuffed ISO committees, or the scam which gave expensive laptops to journalists in exchange for favorable stories about VISTA?

When his "work" was revealed in the Combs vs Microsoft trial Plamondon did a Mea Culpa, and now decries the tacti

Do you have any evidence to suggest that Microsoft is behind this story in some way? Any at all?

Apparently you've never read about James Plamondon and his "Technical Evangelists".

So the answer is no then.

Surely attempting to demean a study and its researchers by alluding to bad things done by a completely separate group of individuals (without any evidence linking the two) is exactly the kind of behaviour (of Plamondon) that you are decrying. The fact that Microsoft had technical evangelists does not mean that the opposition's products are without criticism, nor that such criticism will be sponsored by Microsoft. I have yet to see any indication that Robert McMillan or iSec Partners are shills for any company.

I don't know about iSec, but McMillan/IDG have a long history of being cosy with Microsoft, both financially, with product placement, and with repeating Microsoft PR stories. It's not exactly secret - just Google it.

Tell you what, why don't you google it and provide us with the appropriate link showing a financial link since you are the one making the allegation. Repeating press releases doesn't count, because that is why companies write press releases. If that is corruption, then all companies are doing it wrong.

The story came out a few hours ago and you want documented evidence now?

Microsoft has a loooong history of astroturfing, starting fake grass roots campaigns, etc.

OTOH, yes. There's a reason Macs don't have viruses and it's not because Macs are more secure, it's because there's no need for them in botnets yet (there's no shortage of Windows machines in sight so why go to the bother of coding for Mac...?)

Wash. Rinse Repeat.
Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly.

I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago - there was plenty of malware for Amigas and Ataris, even though their numbers were measured in thousands rather than millions.

So you reason that malware writers would do something because 20 years ago in a very different environment for different reasons people did something? The comparison is absurd.

Firstly 20 years ago malware looked different and had completely different goals. The vast majority of them were written for comical / destructive purposes not to make money. These days malware is a business and the ultimate goal is not to have malware which affects the user experience but rather is invisible to the user meanwhile exp

Malware writers would quite happily release malware for OSX if they could make it work

History disagrees.

In the first [Pwn2Own] contest [wikipedia.org], Dino A. Dai Zovi and Shane Macaulay worked together to take down the first MacBook Pro.[5] On the second day of the conference Macauley sent an email which redirected the user to a malicious site. The site was able to infect the machine with a client-side Javascript vulnerability which allowed arbitrary command execution.[6]

Each subsequent year isnt much better.

And why so smug anyways, Safari is already exploited on windows, as are Firefox, Quicktime, Java, Acrobat reader, and Flash-- all of which are usually installed and vulnerable on Macs (unless you think that PDFs somehow arent as dangerous on OSX).

Wasnt there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)? Yea, enjoy your smugness while it lasts.

"[...] now, they are also more secure than PCs, thanks to several crucial security improvements in the operating system itself, Mac OS X 10.7 So says Dino A. Dai Zovi, an independent security consultant. Those operating system features now put Lion ahead of Windows 7, the latest version Microsoft’s operating system, whose leadership was forged from the fire of relentless attacks by hackers and malware writers, he says."

I've never seen one who does; preview's a decent PDF viewer (and does other things too such as image viewing). I don't know if it supports all the features of Acrobat Reader, but being without the "run arbitrary javascript without any attempt at safety" feature is Just Fine With Me.

Wasnt there a story some months back about a PDF that could launch arbitrary code on all 3 common platforms (OSX, Linux, Windows)?

Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.

It's like saying that a vulnerability in bash works on Windows, Linux, and OS X. Sure, you can run bash on Windows - I did for a while - but it's not something that most users do.

Only if you used Adobe's PDF reader. Given its security track record, you'd have to be crazy to do so. On OS X, the default PDF reader is Preview, which ships with the OS. On *NIX, there's typically some xpdf derivative like Evince. Windows is the only platform where the majority of users put up with Adobe Reader for PDFs.

...and here's where the "monopoly" card bites Microsoft. They can't include a (different) PDF reader with the OS, because if they did, Adobe would sue them for anti-competitive behavior.

Hell, the threat of anti-competitive lawsuits from Symantec keep Microsoft from shipping their own (already written) anti-virus with the OS!

You are implying that Macs must be more secure then, but that doesn't stack up either. Most viruses for Windows are trojans because Windows 7 is well protected against drive-by infections, and there are several browsers to contend with (IE7/8/9, Firefox 3/4, Chrome, Safari).

If they can trick a Windows user into clicking through all the warnings and entering their password to install some malware then they can trick a Mac user too. Your argument about Amiga and Atari viruses misses an important point: Back t

1) That old saw about Microsoft being vulnerable because of its market share is hog wash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages than about 12% of those would be Linux [osnews.com] viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

While I agree with your conclusion (that Windows is a less safe OS than Linux), your first point is completely illogical. The number of viruses released in a given year can be a function of market share without being a 1:1 function of market share. Criminals will always target the OS with the largest numbers of technically unsavvy users. Why double your efforts to increase your pool of potential victims by only ~10%?

Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

Until a non-Windows OS is installed on a plurality of machines, Windows will be the primary target and have the most hackers going after it. The Pwn2Own contests have shown that Macs are plenty vulnerable when people are willing to put in the effort to go after them.

The guy who won all those Pwn2Own contest says that OSX Lion's security [nytimes.com] is now better than Windows 7.

Competition. If you put a Windows machine in a botnet, then it will be being attacked by those other 3 million malwares, and you may lose it. Insecure machines are probably already compromised, so you have a harder job because whatever malware is installed will be fighting you. In contrast, if you write a successful Mac worm, then that gives you a botnet comprising almost 10% of the total computers online with no competition.

The work needed to target MacOS is probably more than 2x because there are still plenty of XP machines out there which are an easy target compared to Vista and 7. IE9 doesn't support XP either, but is a critical update for Vista and 7 users.

One other point people seem to be missing is that the majority of Windows viruses are trojans, i.e. they trick the user into installing them. There is no reason why that would be less effective on Mac users.

One other point people seem to be missing is that the majority of Windows viruses are trojans, i.e. they trick the user into installing them. There is no reason why that would be less effective on Mac users.

To be honest, I believe THIS is the whole truth here: more-or-less all current viruses and malware are installed because the user does something to install them. Like e.g. planting a payload inside a pirated game or application is quite popular, works well, and it's totally and completely the user who is at fault. Not the OS. There is NO OS to date that can protect against that. No Linux, no OSX, no Windows.

That old saw about Microsoft being vulnerable because of its market share is hog wash. There were over 3 million viruses and Trojans released last year. Were it a simple matter of market share percentages than about 12% of those would be Linux [osnews.com] viruses and another 10-15% would be Mac viruses. But, they are not. Well over 99% of them are Windows viruses. Only 19% of Internet web servers are running Windows but they are the source of essentially all malware.

Logic fail. If there is an 80% chance that you will make $100 by wearing blue on mondays, and this is public knowledge, what percentage of people do you think will wear blue on mondays? 80%, or all of them?

Blaming Windows users for security holes that Microsoft keeps secret from them is worse than obscene.

And trying to pretend that most exploits arent through cross platform browser plugins is just ignorant.

Those inflated virus numbers probably also include the fact that viruses are recompiled and repacked daily-- and thus need a different virus definition to detect. How, you might ask, can they afford

I don't care how many pieces of malware are created aimed at Windows, Linux, MacOS or other flavours of Unix...the result that speaks for itself is that every year that they have had a hacker competition to see who can compromise and root a system where they compared Windows, Linux and MacOS, each of which has been secured by native experts...Windows has *always* been compromised, and I think it was always the *first* one compromised. MacOS, when it was compromised was second, and Linux was either the last

"Only 19% of Internet web servers are running Windows but they are the source of essentially all malware."

Absolute rubbish - JavaScript and iframe infections (often used to serve drive-by downloads of malware) affect all web servers, and often only require a stolen FTP password to work, or a PHP app with a security hole. The majority of web servers are still Linux, and that's where the the majority of web app served malware is.

This is often not Linux's fault - if the user has an FTP password saved on thei

Wash. Rinse Repeat.
Macs aren't as vulnerable because they don't have a big enough footprint so they aren't stumbling upon the infected sites or aren't being targeted directly. Windows, including Windows 7, is still more prevalent and more vulnerable.
How many times are we going to get the same stories? If the user is willing to do anything the app or websites tells them to, well, you can't protect them.

You appear to have missed the bit where TFA was almost the exact opposite of the usual:

According to the security researchers quoted, OSX was essentially never the initial foothold/desktop attack; but was judged to be as weak, or weaker, than alternatives when it came to the post-foothold internal attack phase.

Most Mac/Security stories are an argument between the "It's just obscure" camp and the "superior by design" camp. This article asserts "Obscure(enough to rarely/never be the social engineering in

Try a contest where the first person to break *any* system gets $10.000 or $15.000. Then you have pwn2own. And then you'll see that the attackers attack the system they believe most vulnerable first. Or they risk someone else does it. What you'd rather have, a MB pro + $5000 or a HP/Dell + $15.000?

Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.

Macs presented a challenge, and are highly desirable to own, so it's no surprise that security researchers concentrated efforts on pwn1ng them, so they could walk away with the coolest toy participating in Pwn2own

In other words... it's a contest that tends to select a predictable result every time: whichever the platform is most desirable hardware, as far as the participants are concerned.

You get $10k per target, which substantially exceeds the machine price, so while it's not perfectly objective it's not that far out of whack.

I do find this argument funny because it's essentially identical to the argument "Windows Exploits are more common because so many more people have Windows and therefore it's more rewarding to exploit Windows".

And also the first to be attacked. The contest isn't a simultaneous attack on all platforms, it is done sequentially with OS X being the first in line (and thus the first to fall). It's like claiming Joe is more bullet-proof than Jim because the gunman shot Jim first...

It does not mention keychain. I see that as an oversight - not a recommendation of its security.

Did you just imply that the National Security Agency is so bad at its job that when it examines an operating system for vulnerabilities, and writes up instructions on hardening it (which will presumably be used by other government agencies), key things are overlooked?

My problem is that the article makes it sound like they've found lots of huge flaws in the way Mac OS X handles passwords, yet it doesn't give even one specific example. It also talks about authentication policies for services that don't even involve authentication. And then it implies that all of these supposed flaws are somehow specific to Mac OS X Server, when none of the things listed are specific to the Server version of Mac OS X (or even specific to Mac OS X, with the exception of Apple Remote Deskt

Not sure if it's fixed now, but there was a report a few years ago that Apple was doing silly things with the Keychain. It used 128-bit AES, but the way that it used it meant that the effective key length was much shorter. This meant that it was feasible to brute-force the encryption.

Seriously. I got to that line and closed the tab. If 'it can be brute-force attacked' is the vulnerability then I guess the security is shot on anything that doesn't self destruct after 3 wrong password attempts. This story is my cue to get back to work....

Windows server looked after by a good sysadmin == secure.Mac server looked after by bad sysadmin == insecure.

As always, it's up to the people running it. Is any OS inherently secure, no, definitely not when there is a complete idiot looking after it.

Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is, "If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?" Because in real life, no matter how much you tell yourself you only hire top-notch people (or, if you're the sysadmin, tell yourself you're top-notch) most servers and networks are going to have admins who are neither the best nor the worst, but somewhere in the middle.

Yes, of course. But the relevant question for businesses deciding what kind of server setup to use is,

Security is a conscious process, it doesn't matter what OS you use as long as that process is kept conscious. Contrary to what Apple and the Security Industry say, no software is inherently secure or more secure then the others, security is entirely dependent on your (the sysadmins) procedures and awareness.

As for which OS for business, that's a decision to be made according to the needs of the business.

"If this system is looked after by an average sysadmin, how secure will it be relative to our other choices?"

Everyone has different strengths and weaknesses, the good sysadmins identify their own weaknesses. The poor syadmins ignore them. Good sysadmins adapt to changing environments, poor sysadmins change environments to suit them.

All of which is true, none of which changes the fact that in every job, there a few people who are very good at the job, a few who are very bad, and a whole bunch in the middle. Sysadmin work isn't so different from any other technical job as to change this.

I get your point fine; I just disagree with it. Yes, sysadmin work is a very large field with specialized skillsets. So are programming, and medicine, and all kinds of other technical fields. Does this mean there's no such thing as an average programmer, or average physician, or what-have-you? I maintain that the traits which make a good X are to be found in a broad range among people who choose any of these careers, with most X's falling in the middle of that range. Yeah, in your example, if you decid

Yes. Of course, stastically, the good sysadmin is more likely than market share would suggest to be running the mac server, because good sysadmins have a tendency to avoid windows wherever possible...

A good sysadmin can make anything secure and usable. They literally turn lead into gold (server iron into revenue).

But a good syadmin will avoid Mac because they make it so difficult to do anything useful with them. Want to avoid Windows, he deploys Linux, want an expensive proprietary solution, he'll have the IBM Rep on speed dial, "only another $40K for a system P processor card, a bargain sir".

Only a bad sysadmins are fanboys and make things harder on themselves.

Windows server looked after by a good sysadmin == secure.Mac server looked after by bad sysadmin == insecure.

The sad part is that much (most?) of being a good sysadmin consists of ensuring that you install security updates regularly. I've been close enough to embarrassing hacks on several servers to know what happened, and all (but one!) have been hacked as a result of a poor update policy. (The last one was due to a weak root password + passwordAuthentication enabled on ssh)

Most of the core MacOS X systems are not closed source. You can download most of them here [apple.com]. It's true that a lot of the GUI is closed source, but if you're talking about a remote exploit, you're probably hitting a lot of open source packages.

Metasploit only has a couple dozen exploits for OSX. On the windows side, it has a search field for Microsoft Security Bulletin ID [metasploit.com]. Metasploit is the lazy-man's way to hack, if you don't want to go through the trouble of finding your own exploits. That could partly explain the issue.

Not quite sure on the definition of an APT. Wikipeida says its generally a foreign state.I would think that due to core system generally having less holes in it, getting in without user execution would be harder. I don't think it matters in the end as you would still execute something, but.dmg are not instantly ran like exe.

I would also think getting the user to execute malicious code would be significantly harder. Base apple software is generally usable so you don't need to find replacements. People who b

And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Win

And Mac OS X explicitly warns you if you are about to open an application downloaded from the Internet. This means that getting someone to run your code requires tricking them (through social engineering) into knowingly launching an application that they've never launched before, as opposed to tricking them into running your code by making it look like a JPEG file of Lindsay Lohan naked or whatever. Maybe Windows 7 does the same thing (I'm not sure), but that was at least historically a big problem on Windows.

In Windows, files downloaded from the internet has the origin written in an alternate datastream. If you execute such a file you get a warning (like in OS X), but then even if you choose to run the executable, it will run with low integrity. Low integrity is part of UAC and sandboxes the process so that it by default has only read access as the current user. Write access (safe a few cache locations) is completely blocked, safe a few safe cache locations. This is a major obstacle for anyone wanting to use a

Not the same thing. If you download a file on Windows 95 and have the default of hiding file extensions set, then you can get a.exe with an icon like an image file. You double click on it, expecting it to open in your image editor, and you are now running a trojan. The same was true of OS X until 10.5 (I think, maybe 10.6) - you could get a.app with an icon like an image or some other common file type, double click on it, and be running it. Now, you get a warning telling you that it's an application,

Nope, not true, unless there is a root compromise, rather than a normal user compromise. The keychain daemon runs as root. It communicates with other apps via Mach ports, which let it know the pid and the uid of the process requesting data. It then checks whether that binary has been modified since it last tried to access the keychain, and whether the (user, binary) has access to the specific key, and prompts the user to authorise it if it doesn't. If you find an exploit in Apache, for example, then thi